On 10 March 2021, the EDPB and the EDPS released their joint opinion on the Data Governance Act (DGA), the European Commission’s Proposal for a Regulation on European data governance.
The DGA is an essential part of a comprehensive European data strategy, a cornerstone piece of legislation on sharing and re-using data available in the public sector that aims at increasing trust in the digital economy and strengthening the digital single market.
The EDPB and EDPS, however, warn that the legislative proposal poses the following risks:
The proposal could create a parallel set of rules that are not consistent with the GDPR, nor with Regulation 2018/1807/EU on the framework for the free flow of non-personal data. Furthermore, since EU Directive 2019/1024 on open data and reuse of public sector information (i.e. the Open Data Directive) already provides rules on the re-use of public sector information, an overlap with its scope would add to the confusion.
The DGA introduces a set of new definitions, such as ‘data holder’, ‘data sharing service provider’ or ‘data user’. These new terms would apply to the processing of personal data as well. Based on the scope of the definitions, however, they do not seem compatible with those in the GDPR. For example, it is unclear whether “data user” is equivalent to data subject, or if it also encompasses data controllers and, if so, under which conditions.
As a result, the EDPB and EDPS advise that these definitions not be left open for interpretation without further elaboration. In order that the DGA is better aligned with existing terminology, they suggest that the focus not be on specific actors, but on the roles of these parties in terms of data processing activities.
The EDPB and the EDPS also emphasise that the DGA should complement the GDPR without prejudice. Most importantly, the DGA does not establish a legal basis for the re-use of personal data other than the principles provided for in the GDPR. Parties involved in data sharing must base their processing of personal data on one of the GDPR's legal bases (e.g. consent), and must adhere to the principles of data processing (e.g. transparency, data minimisation and purpose limitation).
The Commission’s decision to regulate the re-use of personal and non-personal data of the public sector in a single piece of legislation blurs the line between the two categories, making it considerably more difficult to draw a proper distinction between rules for personal or non-personal data. For instance, the DGA introduces “permissions” as a new method to obtain data, saying that legal persons can issue a permission to re-use data, but it remains unclear whether or not this only refers to non-personal data. In addition, it is unclear how this permission will relate to the legal bases for the processing of personal data as defined in the GDPR. Furthermore, the DGA does not address the issue of mixed datasets (i.e. datasets containing both personal and non-personal or industrial data).
Furthermore, privacy regulators believe that the DGA does not adequately take into account the data protection risks of individuals. This is clear in the definition of data altruism, a concept that is now codified by the DGA, which refers to voluntary data sharing without any compensation for purposes of general interest. While this could facilitate the use of personal data in a number of situations (e.g. scientific research), the regulators highlight that an individual cannot waive the right to data protection. To resolve this issue, the EDPB and EDPS recommend that there be more elaboration on the substance of the consent-related matters of data altruism and their relationship with the conditions for valid consent as set down by the GDPR.
In terms of new institutional settings, the EDPB and EDPS contest the proposed labelling system for data sharing services and the vetting and registration procedures of data altruism organisations. Regarding regulatory oversight, although the EDPB and EDPS welcome the new European Data Innovation Board, they strongly lobby for national data protection supervisory authorities to be designated as competent authorities for monitoring and supervising compliance with the provisions of the DGA.
How the Commission will react to these criticisms remains to be seen.
For more information on the DGA, see the press release and the joint opinion.
Article co-authored by Anna Zsófia Horváth.